Metrics provided by Secrets Store CSI Driver
The Secrets Store CSI Driver uses opentelemetry for reporting metrics. This project is under active development
Prometheus is the only exporter that’s currently supported with the driver.
List of metrics provided by the driver
Note: The OpenTelemetry Prometheus exporter appends a
_totalsuffix to counter instruments (see open-telemetry/opentelemetry-go#3360). The names below are the names as they appear on the/metricsendpoint.
| Metric | Description | Tags |
|---|---|---|
| node_publish_total | Total number of successful volume mount requests | os_type=<runtime os> |
provider=<provider name> | ||
| node_unpublish_total | Total number of successful volume unmount requests | os_type=<runtime os> |
| node_publish_error_total | Total number of errors with volume mount requests | os_type=<runtime os> |
provider=<provider name> | ||
error_type=<error code> | ||
| node_unpublish_error_total | Total number of errors with volume unmount requests | os_type=<runtime os> |
| sync_k8s_secret_total | Total number of k8s secrets synced | os_type=<runtime os> |
provider=<provider name> | ||
| k8s_secret_duration_sec | Distribution of how long it took to sync k8s secret | os_type=<runtime os> |
| rotation_reconcile_total | Total number of rotation reconciles | os_type=<runtime os> |
provider=<provider name> | ||
rotated=<true or false> | ||
| rotation_reconcile_error_total | Total number of rotation reconciles with error | os_type=<runtime os> |
provider=<provider name> | ||
rotated=<true or false> | ||
error_type=<error code> | ||
| rotation_reconcile_duration_sec | Distribution of how long it took to rotate secrets-store content for pods | os_type=<runtime os> |
Metrics are served from port 8095, but this port is not exposed outside the pod by default. Use kubectl port-forward to access the metrics over localhost:
kubectl port-forward ds/csi-secrets-store -n kube-system 8095:8095 &
curl localhost:8095/metrics
Note: Metrics are only emitted from driver pods that have actually performed the corresponding work (e.g. a volume mount, unmount, or rotation reconcile). When port-forwarding a single pod for validation, it is possible to hit a pod that has not yet served any requests and therefore exposes no driver-specific metrics. Trigger the relevant action against that pod, or query all pods, to see the metrics.
Sample Metrics output
# HELP k8s_secret_duration_sec Distribution of how long it took to sync k8s secret
# TYPE k8s_secret_duration_sec histogram
k8s_secret_duration_sec_bucket{os_type="linux",le="0.1"} 0
k8s_secret_duration_sec_bucket{os_type="linux",le="0.2"} 0
k8s_secret_duration_sec_bucket{os_type="linux",le="0.3"} 0
k8s_secret_duration_sec_bucket{os_type="linux",le="0.4"} 1
k8s_secret_duration_sec_bucket{os_type="linux",le="0.5"} 1
k8s_secret_duration_sec_bucket{os_type="linux",le="1"} 1
k8s_secret_duration_sec_bucket{os_type="linux",le="1.5"} 1
k8s_secret_duration_sec_bucket{os_type="linux",le="2"} 1
k8s_secret_duration_sec_bucket{os_type="linux",le="2.5"} 1
k8s_secret_duration_sec_bucket{os_type="linux",le="3"} 1
k8s_secret_duration_sec_bucket{os_type="linux",le="5"} 1
k8s_secret_duration_sec_bucket{os_type="linux",le="10"} 1
k8s_secret_duration_sec_bucket{os_type="linux",le="15"} 1
k8s_secret_duration_sec_bucket{os_type="linux",le="30"} 1
k8s_secret_duration_sec_bucket{os_type="linux",le="+Inf"} 1
k8s_secret_duration_sec_sum{os_type="linux"} 0.3115892
k8s_secret_duration_sec_count{os_type="linux"} 1
# HELP node_publish_total Total number of node publish calls
# TYPE node_publish_total counter
node_publish_total{os_type="linux",provider="azure"} 1
# HELP node_publish_error_total Total number of node publish calls with error
# TYPE node_publish_error_total counter
node_publish_error_total{error_type="ProviderBinaryNotFound",os_type="linux",provider="azure"} 2
node_publish_error_total{error_type="SecretProviderClassNotFound",os_type="linux",provider=""} 4
# HELP node_unpublish_total Total number of node unpublish calls
# TYPE node_unpublish_total counter
node_unpublish_total{os_type="linux"} 1
# HELP sync_k8s_secret_total Total number of k8s secrets synced
# TYPE sync_k8s_secret_total counter
sync_k8s_secret_total{os_type="linux",provider="azure"} 1